An estimated 30 percent (or $328B) of all provider revenue came out of patients’ own pockets in 2012, and with patient financial responsibility on the rise due to high deductible and high co-insurance plans, collecting on these payments continues to be a hot issue for the health care industry. In fact, improving consumer billing and payments was a main focus at the Healthcare Financial Management Association’s ANI 2014 Conference. Here are the three most promising best practices we heard at the show...

Some of the discussion highlights that I took away from the evening are:

Nassar explained that Authenticity (is this component, H/W or S/W, authorized in this environment / ecosystem?) and Authentication for Service are key in the Internet of Things.

Malloy provided the following stat: US is 27% of the credit card volume in the world, but almost 50% of the fraud. He then went on to explain 'There are clear initiatives to protect the point-of-sale, which will immediately result in fraud moving online. With online and mobile payments showing continued year-over-year double-digit growth, we have to protect online transactions. Hackers aren't going anywhere'.

Malloy listed the three key challenges that Oath addresses: Theft, usability to share data and lack of federated, single sign-on framework.

There must be transparent opt-in / opt-out options that provide users with alternatives (i.e. Yes, I want to use the service but do not want to authenticate myself via fingerprint. What other option do I have?) that are in compliance with the provider's required level of assurance. 'At the end of the day it's all about context and consent' concluded McGoran.

Taveau: 'We are our own currency. Today we talk about the Internet of Things. Tomorrow we will talk about the Internet of Me'. Note: In the same vein as Dave Birch's statement 'Identity is the new money'.

Blueliv is a complete end-to-end Cloud-based Cyber Threat Intelligence Technology that protects organizations from credit card fraud, data and credentials theft and the latest malware trends. One way in which the company does this is that it hacks hackers, learns from it and sells data / 'best practices' to financial services companies.

Key attributes to balance when creating an authentication service? Security, convenience, ease of use, privacy, trust and cost. Consumers will only use companies they trust and will assume solutions are secure. They do not care about cost (they are not normally charged, at least not directly). They always focus on convenience and ease of use; sometimes on privacy.

Casals predicts that in 5 years, there will be strong privacy requirements dictated by governmental agencies, and strong companies with well-developed business models around them.

Merchants and banks can greatly benefit from improved authentication. Merchants: If they had access to strong authentication platforms, could they bypass the existing ecosystem and take on transaction risk themselves? Banks: In Japan, a 10x increase in fraud between 2012 and 2013 has moved the top 5 banks to heavily promote 2-factor authentication to their customers. In general, banks will favor tools that help them improve risk management.

Target's servers were hacked because the credentials of an administrator were stolen and misused. Stronger authentication and authorization procedures may have avoided the issue.

Centralized credential storage makes it easy for hackers, with high rewards for each breach. 'It is important to decentralize the credential to prevent having a valuable target for hackers' stated Nassar.

There are non-public FIDO members, including banks and retailers. The same thing happens with OATH: many organizations certify and deploy OATH solutions without holding membership.

Mobile carriers have missed the mobile payments window and are now working on mobile identity. They have a lot to offer around authentication and identity (secure element + customer knowledge), but they are very difficult to work with. As McGoran reminded us, 'He who enrolls, controls'.

From BayPay Forum Events Page - March 6th, 6 pm, Menlo Park: Authentication and Identity continues to be a ‘hot topic’ in 2014, with more activity in the private and public sector than ever before. Developments in this arena are also having deep impacts in the world of commerce, payments and banking – both online and offline.

We are very excited to invite you to the second event of the Authentication and Identity Track. The first event took place a few months back with excellent feedback and clear indication that this was a topic of interest for the BayPay Community. For this reason, we are planning four quarterly events for 2014, with the first one taking place on March 6th. Our panel will include key representatives of companies such as Symantec, Synaptics, NXP and Exponent. All of them deeply involved in great industry-wide initiatives, such as FIDO, OATH and NSTIC. The discussion will center on current and developing technologies and frameworks to authenticate customers - whether consumers or enterprise users - at the time a transaction takes place. Biometrics, contextual information, hardware- and software-based tokens, adaptive security, device-based and cloud-based solutions, consumer experience and adoption… These are some of the topics that are likely to come up during our panel conversation. Agenda and Registration.

Trish's Comment: It has finally come time to hold the second event of the BayPay Forum Authentication and Identity Track.

Our panellists are well known authentication, security, privacy and identity professionals involved in some of the most exciting solutions - such as biometrics, H/W and S/W tokens, behavioral monitoring and industry initiatives - including FIDO, Open Authentication and NSTIC. Let me 'introduce' them to you (in alphabetical order):

Don Malloy - Chairman of the Open Authentication (OATH) Initiative and Director of Business Development & Product Marketing at Direct RM.

Don has been leading OATH (do not confuse with OAuth, which is Open Authorization) for many years, and has been instrumental in its expansion. OATH's vision calls for creation of a common, open standards-based authentication platform, where enterprises can authenticate all users, all devices, and all networks, all the time. Powerful industry names, such as Verisign, Gemalto, Active IDentity and Symantec are collaborating to make this vision a reality.

Brad McGoran - Principal Engineer at Exponent. Exponent was awarded one of the 2013 NSTIC Pilot Grants, and Brad is very involved in this project. The focus of their project is to issue secure, easy-to-use and privacy-enhancing credentials - called 'derived credentials' - to the Defense Department, among other participants. I am sure he will tell you all about it himself!

Sami Nassar - VP & GM of Authentication at NXP and Member of FIDO Board of Directors. Sami's participation in this panel is exciting for three reasons: NXP's relevance and growth in the authentication, identity and security space; the very recent joint announcement made by NXP / Nok Nok Labs at RSA about the FIDO Ready™ UAF equipped smart phone; and Sami's participation in FIDO's Board of Directors since NXP joined in February of 2013.

Sebastien Taveau - Chief Evangelist at Synaptics and Board Member of The FIDO Alliance. First of all, what is not to love about somebody whose title includes the words 'Chief Evangelist'? By the way, his title at PayPal (a few years back) was 'Astronomer / Principal'. Another great one!

In all seriousness, he is another great addition to our panel given his accomplishments in the field of commerce, payment and mobile security as Board Member of FIDO and during his tenure at Validity - he was part of the core team crafting the turnaround which resulted in the acquisition of Validity by Synaptics for a deal valued at $255M -, PayPal - helping build PayPal's foundation of mobile commerce and security - and QSecure.

At the beginning of the event, each of our guests will provide his view of the current state of the industry, how his work - and that of his company - fits within current trends, and his view of how the ecosystem will evolve in the next 3 to 5 years. This will help us all get some good insights into the industry and will set the stage for the Q&A session.

Some of the topics that will certainly come up during our conversation - and I am expecting some heated debate - may be:

Where do you think the authentication and identity industry will be in 5 years? What role do you think your company will play? What about FIDO, OATH, NSTIC and other similar initiatives?

How can we balance customer choice, convenience, security and privacy to ensure appropriate level of assurance for businesses and adoption by consumers?

What are the true authentication requirements for payments and commerce?

How can the new authentication technologies help us move from card present / card not present to consumer present / consumer not present?

What are the pluses / minuses of biometrics vs. non-biometric approaches to authentication? What are the implication on privacy for each of these approaches?

And many more!

So if these questions resonate with you and you are curious about the space, please come and join us on March 6th!

From 'Introduction to Covered California. Participant Guide': Covered California is our state’s new health insurance marketplace, the place to go for affordable health care coverage.

Soon after the passage of the Affordable Care Act of 2010, the State of California became the first state in the nation to enact legislation to establish a health insurance marketplace. Although originally known as the California Health Benefit Exchange, the state adopted “Covered California” as the business name for California’s health insurance marketplace through which individuals and small businesses can access affordable health insurance plans.

Consumers can use Covered California to learn about and buy health insurance and to determine if they qualify for federal premium assistance that can lower the cost of insurance up to 90 percent. Covered California is a leader in "active purchasing," which means it negotiated the prices with health plans, ensuring that consumers get the best prices possible for quality health insurance. This is a tremendous benefit to consumers because it enables consumers to do apples-to-apples comparisons of a number of plans based on price, not services. Continued.

Trish's Comment: Let's assume that all healthcare.gov - and in California, also coveredca.gov - website issues have been solved, so people can easily compare insurance options and buy coverage. Let's also fast-forward to a point in time when back-end systems are fully functional - reconciliations with insurers are done automatically, subsidy eligibility is also automatically communicated to the insurance company and paid as appropriate... That is, let's think about what ongoing operations would look like for a healthcare marketplace, the insurers providing services and the citizens / residents receiving those services. And given my interest in payments, let's take the case of the California Marketplace (Covered California - coveredca.gov) and focus on how payments will flow across the ecosystem.

What is the flow of funds between insurers and the marketplace?

An insurer will need to pay the marketplace a fee each time a customer signs up for one of their plans. This is how Covered California expects to be financially self-sustaining (i.e. not taxpayer-funded) by 2015.

The marketplace - in fact, the government it represents - will have to pay the insurer the subsidies applicable to the customers that are eligible to receive them. Also, at least in the case of Covered California Small Business Health Options Program (SHOP), each small business will pay fees to Covered California, which in turn will pass on the payment to the corresponding insurer.

These are all enterprise-level payments that, once all the back-end systems are in place, should happen safely and reliably.

What is the flow of funds between consumers / businesses and their insurer / marketplace?

This is the part that I find most interesting. Again, if we focus on Covered California:

What jumped at me from these lists of options is the lack of fast, convenient and inexpensive methods of payment for businesses and unbanked / underbanked consumers.

Why as a business dealing with Covered California can I only pay by sending a letter over regular or overnight mail with all the time and risk implications this entails?

Most businesses (if not all), will have bank accounts and probably also credit cards. Why not allow for some of the other easy, convenient and safe methods of payment?

Why as an underbanked or unbanked consumer - probably a very high percentage of the population targeted by marketplaces and those that can least afford additional charges - do I need to pay between $1.10 and $12 to make my monthly insurance payments (average cost for transactions that are not bank account or credit card based, based on the information from Get Covered Illinois)? Why do I need to drive or walk to my nearest USPS Post Office, bank or credit union - often not all that convenient - to pay?

Why not allow payment with reloadable - and therefore registered - prepaid cards? Why not enable PayPal payments, where unbanked / underbanked can load money into their accounts through MoneyPaks? Or even, why not enable PayNearMe, for those that want to transact with cash?

Enabling alternative methods of payments that suit the unbanked / underbanked - such as reloadable prepaid cards, PayPal or PayNearMe - should be simple and go a long way to promote a vibrant ecosystem.

From American Banker by Penny Crosman - 'AT&T's Bid to Intertwine Its Services with Mobile Banking Apps': AT&T would like to partner with banks on their mobile banking apps, providing a range of hosted services from call recording to videoconferencing to geolocation services to mobile identity verification.

But the technology and approach the two companies are taking are somewhat different. Continued.

Trish's Comment: From my perspective, this last sentence is an understatement. The technology and approach the two companies are taking are not 'somewhat different', they are very different! At the risk of oversimplifying, I would characterize the two approaches in the following way:

AT&T wants to enable others - be it banks, retailers or other companies - to build more robust and secure authentication and identity systems by letting these third-parties access some of its services via APIs. Basically, AT&T allows other companies to build 'hooks' into its network to access key capabilities - such as communications, videoconferencing, location services and account information - to better authenticate and identify their users.

Verizon is building its own authentication and identity service, called Verizon Universal ID, that will be used by entities across the internet and other public and private online / remote services. This means that Verizon would be an identity provider and therefore responsible for authenticating a user, and I imagine also liable in case of error or breach.

The company would use the device ID (the knowledge that a particular smartphone or tablet is registered to a certain user) as the basic building block to verify a user, but it could also use other information such as geo-location or biometrics. The idea is to provide strong authentication without the use of passwords, or at the very least, minimizing the role that passwords play in the process.

In all fairness, both companies provide APIs and developer tools for their developer communities, and they both understand the potential revenue stream that may come from providing mobile network services to third parties. Having said this, it is clear that the companies have different priorities, since as a whole, the number and diversity of APIs provided by AT&T is much greater than that provided by Verizon; not to mention AT&T Mobile Identity Toolkit API, which does not have a similar counterpart within Verizon's API set.

AT&T is part of an effort led by the American Association of Motor Vehicle Administrators (AAMVA) to implement the Cross Sector Digital Identity Initiative (CSDII) to produce a secure online identity ecosystem that will enhance privacy and reduce the risk of fraud. A central goal of the project is to explore the integration of government-issued driver license verification information with other types of commercial identity verification techniques, including those that can be provided through the AT&T Mobile Identity Toolkit.

Verizon joined a project led by Criterion Systems and focused on simplifying online identity verification and increasing online trust. In a nutshell, the idea is for users to log in across the internet by using a single, or a few, identity providers (government agency, bank, social network, or telecom) with whom they have an established online relationship.

This identity provider should be able to use 'trust elevation' tactics at a large scale. This means combining a user name and password with additional information to achieve multi-factor authentication. The identity provider could be a government agency, a bank, a social network, or of course, a telecom provider such as Verizon.

In my opinion both approaches are complementary and should be pursued by both telcos simultaneously (notwithstanding resource constraints):

There are many companies that can provide authentication and identity services - including mobile operating systems such as Android and iOS, banks and maybe even major online retailers such as Amazon. In fact, for regulatory and legal reasons, some of these companies, such as banks, will be heavily inclined to retain authentication of their users, which they can also offer as a service to other entities (as they are already doing in Canada with SecureKey Concierge). Providing these companies with additional tools will benefit the consumers, the ecosystem and the telcos' bottom line.

At the same time, why would a telco not take advantage of its capabilities, and use the tools offered by other companies, to provide those services itself? It will be up against some stiff competition, but everything is still up for grabs.

As a follow-up to a previous article on SAML, OpenID and OAuth, we are going to use this blog to review the options that different types of companies are taking to protect financial transactions, whether that takes the form of online payments, online banking or other types of activities.

How do banks approach authentication, authorization, identity and security?

Banks have traditionally done their own authentication and authorization, and for legal and liability reasons, they are unlikely to outsource this capability in the near- or medium-term. This means that they may act as identity providers for others, but are unlikely to be the relying party within an authentication / identity system.

In the case of the Canadian government - although it is SecureKey Concierge that creates the government's required framework of reliability, security and privacy - it was decided to limit identity providers to major financial institutions. This makes sense for several reasons:

The five major Canadian banks cover the vast majority of Canadian consumers, meaning that working with a few providers can give a very good population coverage

In the case of the US, the National Strategy for Trusted Identities in Cyberspace (NSTIC), of which FCCS is a component, and the Identity, Credential and Access Management (ICAM) program have decided to allow a much larger range of identity providers, including banks (Citi), security companies (Symantec, VeriSign and DigiCert), telcos (Verizon) and technology companies (Google and PayPal), among others.

Clearly the trust networks being built are only as safe and secure as the identity providers (IdP). So how do these companies create a secure environment to enable this new ecosystem? How do they protect their communication with the end-user and then with the relying party?

In general, whether the identity provider is a trusted bank or a technology company, the processes are similar:

Communication with the end-user is done over HTTPS (HTTP over the Secure Sockets Layer / TLS protocol), where the channel is encrypted and the servers identify each other via certs provided by world-wide recognized Certificate Authorities (such as VeriSign).

This is also how these companies protect their customers and users when they are logging in to the services they provide themselves, be it online banking, digital wallet or even e-mail.

Communication with the relying party can be done in a number of different ways, including three we have already discussed in some detail in a previous blog on this site - OpenID, OAuth and SAML.

It is very interesting to realize that, although the information being relayed from the user to the IdP may change - from the traditional username and password, to pins, knowledge-based information or even biometrics - the technology that protects that information, as critical as it may be, is the same that has been in place for a good number of years now.

Question: Why aren't more banks taking part in overall authentication and identity efforts such as FIDO and NSTIC?

To answer this question, one must first understand Rogers' current forays beyond wireless into publishing, home monitoring and even payments. Only after we have a clear picture of the company's past and present will we be able to understand where it wants to go.

What is Rogers Communications?

Rogers is Canada's largest mobile carrier, with 9.4 million mobile subscribers in the second quarter of 2013, followed by Bell and Telus, both of which have between 7 and 8 million mobile subscribers. It also operates Canadian cable TV and Internet subsidiaries. As of June 30, Rogers had about 1.9 million Internet customers and 2.2 million cable TV subscribers.

In addition, Rogers Media owns Canada's largest publishing company, Rogers Publishing Limited, which has more than 70 consumer and business publications, 51 radio and television stations, including RDeals - a local daily deals service that was closed earlier this year - and The Shopping Channel, which is Canada's home shopping service. Rogers Media also operates the Toronto Blue Jays baseball team and holds a 50% ownership in Dome Productions, a mobile production and distribution joint venture that is a leader in high-definition television production and broadcasting in Canada. In 2011, Rogers launched Rogers Home Monitoring, a home monitoring service which utilizes both its wireless network and cable network. Since then, Rogers has also launched other digital services, such as OutRank - a suite of digital marketing services for Canadian small business - and Vinicity - a loyalty and marketing automation platform for small- and medium-size businesses. Also of interest is Rogers' investment in Zoove, the sole provider of StarStar numbers, an advertising service that allows businesses to send media content to consumers that dial a StarStar number.

As of September of 2013, Rogers Communications, with permission from the Office of the Superintendent of Financial Institutions, also holds a banking license under the Bank Act which is primarily focused on credit, payment and charge card services. It seems that Rogers plans to launch a plastic credit card in 2014, following a pilot with a number of its customers. A mobile version should soon follow. The idea would be for Rogers credit-cardholders to accumulate loyalty points, maybe from spending on eligible Rogers services, which can then be redeemed for other Rogers services. To minimize risk, initially Rogers might only offer this card to its own customers, for whom it has an extensive history (credit history, tenure with the carrier, spending habits...), but this could change as the company gains experience and brand recognition in this new activity. Consider the comment of Les Riedl, senior managing partner at the U.S.-based consultancy Bank Solutions Group, to Mobile Payments Today on the Canadian credit card market:

"Canada is one of the most heavily 'carded' countries in the world," he said. "All the top six Canadian banks have a credit card penetration rate of at least 50 percent of their customer base, and two of them have a 60 percent penetration rate. It's difficult for a new entrant to launch credit cards in Canada, although Rogers will have the advantage of being able to target its extensive customer database."

Rogers' current forays in and around payments

Let's first review the steps that Rogers has taken so far around payments:

EnStream - A joint venture of Canada's three main telecom carriers (Rogers, BCE Inc's Bell Canada and Telus Corp) launched in 2005 to help Canadian financial institutions, telcos and merchants introduce mobile payments.

In 2009, EnStream launched Zoompass, a mobile-based, stored-value payment service with a companion contactless payment card, which was sold to Paymobile in 2012, as EnStream focused on their role as a Trusted Service Manager and provider of a common mobile commerce interface to be used by other wallets.

Just as in the case of EnStream, Rogers’ SureTap service is eventually expected to store virtual debit cards, driver’s licences, health cards, loyalty cards, gift cards, store cards, security credentials and transit passes.

SureTap Wallet - On November 7th of this year, Rogers launched the SureTap Wallet, which will initially offer a co-branded virtual Rogers Prepaid MasterCard as well as "gift cards from select national retailers".

What is clear is that longer term, Rogers would like its SureTap Wallet to be an open wallet that hosts cards from all major banks, retailers, and many other companies, along with the virtual version of its own credit card.

Rogers Bank - What is the upside?

Clearly, Rogers is interested in mobile payments, so how will the company's banking license help it get ahead in this space?

Having its own card will make Rogers less dependent on traditional card issuers, which so far have been slow to adopt digital and mobile payments solutions in general, and Rogers' and EnStream solutions in particular.

Rogers' customer base is larger than those of Canada's largest banks, thus giving the company quick access to over a third of the country's population.

Payment data, from transactions on Rogers and other services, will provide additional insights to use for its marketing and advertising solutions.

The wireless provider could develop a differentiated rewards program - based on mobile airtime rewards - to help it achieve top-of-wallet status in a crowded card market. In fact, if this type of rewards program is well received, it may 'force' issuers to strike partnerships with telcos to also offer airtime as part of their programs.

But the play can be much larger. As pointed out by Christie Christelis, president of the Canadian research firm Technology Strategies International, to Mobile Payments Today, Rogers may eventually offer the card to non-customers and use this new communication channel to attract them to its mobile, TV and Internet services: 'Even a 2 percent increase in mobile, TV and Internet subscribers from marketing the card would be very profitable for Rogers.'

Even further, it could seamlessly integrate the SureTap Wallet into its cable TV offering, for example with The Shopping Channel or with advertising in its sports channels, to enable tCommerce and provide deep discounts or other benefits when using its credit card for purchases. This would greatly increase SureTap's number of touch-points with consumers while providing further utility for them, not to mention revenue growth for advertisers and content providers due to ease of purchase, and increased loyalty to the channels providing these services.

All in all, although there are certainly many risks and unknowns around this new venture, there is also great potential upside.

1) If you are sending your password to some central authority, you already lost the battle

Third parties that hold information, including username / password, for thousands or millions of accounts, are high-priority targets for fraudsters and criminals. Keeping your information protected in your device can be much safer.
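The model the post argues for, as an added illustration (not code from FIDO, NXP or any product): the device holds the private key, the server enrolls only the public key, and a login is a fresh server challenge signed on the device. A breach of the server's credential store therefore yields nothing that answers a challenge, which is the point made here and in the earlier Nassar quote about decentralizing the credential. To stay on the Python standard library the signature is a hash-based Lamport one-time signature, so each key signs once; real deployments use ECDSA or Ed25519, which allow unlimited signatures per key. All users and secrets are constructed.

```python
"""Device-held credential, server-held public key (added illustration, not code
from FIDO, NXP or any product).  A Lamport one-time signature keeps this on the
standard library; production schemes use ECDSA/Ed25519.  All values constructed."""
import hashlib
import os
import secrets


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte values.  Public key: their hashes."""
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = [(h(a), h(b)) for a, b in priv]
    return priv, pub


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(priv, message: bytes):
    """For each bit of H(message), reveal the half of pair i that the bit selects."""
    d = h(message)
    return [priv[i][_bit(d, i)] for i in range(256)]


def verify(pub, message: bytes, sig) -> bool:
    """Hash each revealed half and compare with the enrolled public half."""
    d = h(message)
    return len(sig) == 256 and all(h(sig[i]) == pub[i][_bit(d, i)] for i in range(256))


class Device:
    """The private key never leaves this object; one Lamport key per login."""

    def __init__(self):
        self._priv, self.pub = keygen()
        self._used = False

    def respond(self, challenge: bytes):
        if self._used:
            raise RuntimeError("Lamport key already used; rotate before signing again")
        self._used = True
        return sign(self._priv, challenge)


class Server:
    def __init__(self):
        self.public_keys = {}      # user -> public key; nothing secret stored here
        self.open_challenges = {}  # user -> outstanding random challenge

    def enroll(self, user: str, pub) -> None:
        self.public_keys[user] = pub

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(32)
        self.open_challenges[user] = c
        return c

    def login(self, user: str, response) -> bool:
        c = self.open_challenges.pop(user, None)  # each challenge is single-use
        return c is not None and user in self.public_keys and verify(self.public_keys[user], c, response)


def demo() -> dict:
    """Enroll, log in, replay the same response, then try to forge from leaked data."""
    device, server = Device(), Server()
    server.enroll("alice", device.pub)
    response = device.respond(server.challenge("alice"))
    ok = server.login("alice", response)
    replay = server.login("alice", response)  # challenge already consumed
    # What a breach of the server yields: public keys only; they verify, never sign.
    leaked = server.public_keys["alice"]
    forged = verify(leaked, server.challenge("alice"), [b"\x00" * 32] * 256)
    return {"login": ok, "replay": replay, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The `Device` refuses to reuse a Lamport key because every signature reveals half of it; with ECDSA or Ed25519 the same enrollment and challenge flow works without rotation.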

2) Fraud through malware is a big challenge facing the authentication community

These attacks can take place during log-in or at any time during a session, which highlights the importance of continuous behavioral analysis that allows authentication to be stepped up as necessary.

3) A solution need not be universally accepted to be relevant and successful

One sentence caught my attention; it went something like: Even if we create a solution that is 1,000 times more secure, and 1,000 times more convenient, still not everybody would be behind it. Any time you have a change in technology, there is a natural fear and doubt that kicks in.

Gaining acceptance takes time, even with a great solution. Gaining universal acceptance may not be realistic, or even desirable, since different situations will require different solutions - for example, logging into your account when using your laptop, your smart phone or your Google Glass.

4) There is no standard 'acceptable margin of error'. It depends on the application

The acceptable margin of error is in the eyes of the user and the relying party and will be in-line with the consequences of a false positive or false negative. The acceptable margin of error changes greatly for an anti-spam program, access to Facebook and a $10,000 transfer.

5) The MNOs can bring a lot of value to the authentication process

MNOs have many capabilities that can greatly enrich the authentication process, such as recognition/reputation of the device, geolocation, geofencing, tenure of the relationship with the user...

The main barrier to using all these capabilities is the speed at which the authentication needs to take place versus the time it takes the MNOs to provide the information.

6) The question of who is liable for the authentication remains unanswered

There are a number of business and legal structures that can be applied to determine liability, but in general, the entity that holds the business relationship with the end-party will also be liable for breaches.

All the companies in the panel (OneID, Iovation, HID Global and Natural Security) are technology providers to the companies that have the business relationship with the end-customer - be it a consumer or another company. In general, they will not be held legally liable.

Federated Identity

Federated identity is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems. This means that a service or application does not need to obtain and store users’ credentials in order to authenticate users; rather it can use another service or application, that is already storing the users' electronic identities, as a trusted identity management system to authenticate the user.

For example, Facebook Connect is a federated identity management system. Weebly, the web-hosting service that I use to publish this site, lets you sign up and sign in using your Facebook credentials. This means Weebly is no longer responsible for authenticating the user; Facebook is. Both Weebly and I trust Facebook to be my identity provider by safely storing my credentials (currently, username and password) and correctly authenticating me.

Another example, this time in the public arena, is the UK Government Department for Work and Pensions allowing UK residents to sign up and sign in to its website to manage benefit claims using their login information from one of eight providers, all private companies, including Experian and PayPal. Just as in the prior case, this means that the UK Government is no longer responsible for authenticating each person; it trusts those eight companies to authenticate users on its behalf (although I imagine the liability for erroneous authentication still falls on the side of the government).

Two of the key benefits of federated identity are:

Users only need to remember a few sets of credentials, from those companies they trust to safeguard their identity, and can use them to sign in to many different sites

Identity providers have identity management as one of their core competencies, possibly their only one. The level of security and protection of personal data will, in all likelihood, be much higher than that of a generic service or app (the flip side is that a compromised identity provider, or a compromised account at one, exposes every site that relies on it)

It is important to highlight that although a third party authenticates the user, it is the service or app itself that authorizes the user, meaning it controls the level of access the user has to different resources and functions. There is a clear and complete split between authentication and authorization.

SAML, OpenID and OAuth

These are three different federated identity (FID) standards that were originally built to address very different needs:

SAML was developed in 2002 by the OASIS Security Services Technical Committee as an XML-based open standard for exchanging authentication and authorization data between parties. Its main purpose was to facilitate Single Sign-On (SSO) for enterprise users.

OpenID is an open standard, first released in 2005 (OpenID 2.0 followed in 2007), with the same purpose as SAML (SSO) but for consumer apps and services

OAuth also emerged in 2006 (the OAuth 1.0 specification was published in December 2007) as an open standard to allow apps to share information via APIs with the right level of authorization

It is important to note that SAML and OpenID were both authentication protocols, but OAuth was an authorization protocol (OAuth is commonly expanded as Open Authorization). Nowadays they are all grouped under the banner of federated identity standards because of how they have evolved, but strictly speaking OAuth was not a federated identity standard at its inception (one could argue that it still is not).

The Evolution of OpenID and OAuth to OpenID Connect and OAuth 2.0

In a nutshell, OpenID gives you one log-in for multiple sites. For example, when you need to log in to LiveJournal, a site that accepts OpenID, you are redirected to the provider of your OpenID, for example a WordPress blog (more on this later), for the provider to authenticate you, and then redirected back to LiveJournal. As explained above, and as is the case with federated identity in general, LiveJournal is no longer responsible for authenticating the user. Both LiveJournal and the user trust a third-party identity provider to authenticate the user correctly. Figure 1 is a flowchart graphically representing the interactions we have just described.

Figure 1 - OpenID Flow

When Brad Fitzpatrick and his team first created OpenID, they were looking to develop a protocol that made it possible for a commenter to claim her comments on someone else's blog. For the commenter, she could claim her posts and build a reputation; for the blog owner, he had a way to recognize and link readers' comments. Given this context, all that was required in the early days of OpenID was to uniquely identify an individual, thus allowing them to establish identity across contexts. There was no suggestion of two web apps or websites sharing data, except possibly very general information, such as address or phone number, and only with the user's explicit consent. This allowed users to hold a single account, at say yahoo.com, but sign in to third-party sites using "non-correlatable identifiers", enabling users to keep their identity private across all their interactions.

It was also important for OpenID to keep authentication capabilities decentralized. That means there is not a single identity provider, or even a small set of identity providers, that users must choose from. Any site can offer the service, such as any site created with WordPress. It is then up to users and websites to choose the third parties they want to trust for authentication purposes.

The role of OAuth is different. It lets you authorize one website, the consumer, to access user data from another website, the provider. For instance, a user wants to authorize her favorite social network to grab her contact info from her e-mail provider. The social network redirects the user to her e-mail provider so that she can be authenticated there. Once she has authenticated herself (this authentication step is entirely orthogonal to the OAuth process), the e-mail provider asks her to confirm that she wants to share her contact info with the social network. If she confirms, the e-mail provider grants the social network a token with which it can retrieve the requested contact data; the social network never sees her e-mail password.
Figure 2 below is a flowchart graphically representing the interactions we have just described.

Figure 2 - OAuth Flow
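The consumer/provider exchange just described, carried out as an OAuth 2.0 authorization code grant (the form the protocol took after the original drafts). This is an added example, not code from the page: both sides run in one Python process, 'contacts.example' standing in for the e-mail provider and 'social.example' for the social network, with constructed client credentials and no real network traffic. It adds two checks the flow description leaves implicit: the state parameter that ties the callback to the session that started the flow, and the single-use authorization code bound to the client and redirect URI it was issued for.

```python
# OAuth 2.0 authorization code grant with both sides in one process.
# Added illustration, not code from the page. 'contacts.example' is the e-mail
# provider (authorization + resource server), 'social.example' the social network
# (client). Client id, secret and URLs are constructed; nothing touches the network.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """The e-mail provider: user is authenticated here, consent recorded, codes/tokens issued."""

    def __init__(self):
        # Client registration is out of band; the redirect_uri is pinned at registration.
        self.clients = {"social-app": {"secret": "constructed-secret",
                                       "redirect_uri": "https://social.example/cb"}}
        self.codes = {}    # code -> what it was issued for
        self.tokens = {}   # access token -> user + scope
        self.contacts = {"alice": ["bob@example.org", "carol@example.org"]}

    def authorize(self, url, user, consent):
        """GET /authorize. 'user' is already authenticated (that step is outside OAuth).
        Returns the URL the browser is redirected back to."""
        q = query(url)
        client = self.clients.get(q.get("client_id"))
        # Never redirect to an unregistered URI: that would hand the code to an attacker.
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if q.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        state = q.get("state", "")
        if not consent:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "scope": q.get("scope", ""), "user": user, "expires": time.time() + 60}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """POST /token, called from the client's back end, never from the browser."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)   # pop: a code is single-use
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid_grant")
        # The code is bound to the client and redirect_uri it was issued to.
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}

    def get_contacts(self, bearer):
        """The protected resource: the granted scope, not who is asking, decides."""
        t = self.tokens.get(bearer)
        if t is None or "contacts.read" not in t["scope"].split():
            raise PermissionError("insufficient_scope")
        return list(self.contacts[t["user"]])


class Client:
    """The social network: it never sees the user's e-mail password."""

    def __init__(self, server):
        self.server = server
        self.pending = set()   # outstanding state values (per browser session in real life)

    def start(self):
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return "https://contacts.example/authorize?" + urlencode({
            "response_type": "code", "client_id": "social-app",
            "redirect_uri": "https://social.example/cb",
            "scope": "contacts.read", "state": state})

    def callback(self, redirect_url):
        q = query(redirect_url)
        # state ties the callback to the session that started the flow (login-CSRF defence).
        if q.get("state") not in self.pending:
            raise PermissionError("state mismatch")
        self.pending.discard(q["state"])
        if "error" in q:
            raise PermissionError(q["error"])
        return self.server.token("social-app", "constructed-secret", q["code"],
                                 "https://social.example/cb")


def demo():
    """Happy path, then a replay of the same code, then a user who denies consent."""
    srv = AuthorizationServer()
    app = Client(srv)
    redirect = srv.authorize(app.start(), user="alice", consent=True)
    contacts = srv.get_contacts(app.callback(redirect)["access_token"])
    try:
        srv.token("social-app", "constructed-secret", query(redirect)["code"], "https://social.example/cb")
        replay = "accepted"
    except PermissionError as e:
        replay = str(e)
    try:
        app.callback(srv.authorize(app.start(), user="alice", consent=False))
        denied = "accepted"
    except PermissionError as e:
        denied = str(e)
    return contacts, replay, denied
```

The client only ever holds a scoped bearer token, so the e-mail provider can revoke it without touching the user's password, and the resource endpoint checks scope rather than identity, which is the authorization-not-authentication point the text makes about OAuth.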

Both OpenID and OAuth date from the mid-2000s and have evolved over a number of releases, gaining in flexibility, security and overall capabilities.

Starting in May 2008, Facebook launched Facebook Connect, a new authentication protocol built on top of OAuth by adding an authentication layer on top of the authorization standard, with restrictions and specific security and encryption requirements. Over time, Facebook Connect evolved to use OAuth 2.0 (published as RFC 6749 in October 2012), and other similar OAuth-based sign-in services emerged, such as Twitter's and Google's. The focus of these protocols was authentication with profile portability, that is, sharing app-specific user information at the time of authentication, facilitated by OAuth's data-sharing capabilities.

In spite of interoperability issues, service providers viewed these proprietary protocols as more valuable than traditional OpenID because they not only authenticate but also share information between apps, which can greatly benefit service providers and websites in general. OpenID Connect (finalized in February 2014) represents years of work to align consumer identity providers (Microsoft, Google, Yahoo...) and other industry participants on a single profile of OAuth 2.0 for authentication. Today most consumer identity providers, such as Google or Microsoft, provide solutions that fully support the required features of OpenID Connect.
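The authentication-versus-authorization split noted in the federated identity section above, and the OpenID Connect profile of OAuth 2.0 just described, in one added example (not code from the page or from any of the identity providers named): the identity provider mints an ID token; the relying party verifies signature, issuer, audience, expiry and nonce before trusting the sub claim; and only then does it apply its own local authorization policy. It uses HS256 keyed with the client secret, which OpenID Connect Core permits; the issuer URL, client identifier and secret are constructed.

```python
# OpenID Connect ID token: minted by the IdP, verified by the RP, then authorized locally.
# Added illustration, not code from the page. HS256 keyed with the client secret is
# permitted by OpenID Connect Core (section 10.1); most deployments use RS256 with keys
# fetched from the IdP's jwks_uri. Issuer, client id and secret below are constructed.
import base64
import hashlib
import hmac
import json

CLIENT_SECRET = b"constructed-client-secret-shared-at-registration"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(issuer, sub, client_id, nonce, now, ttl=300, secret=CLIENT_SECRET):
    """IdP side: mint an ID token once the user has authenticated and consented."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": sub, "aud": client_id,
              "exp": now + ttl, "iat": now, "nonce": nonce}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class IdTokenError(Exception):
    pass


def verify_id_token(token, expected_iss, client_id, expected_nonce, now, leeway=60, secret=CLIENT_SECRET):
    """RP side: the checks OpenID Connect Core section 3.1.3.7 requires before trusting 'sub'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: honouring whatever the header says invites 'alg: none' and key-confusion bugs.
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected_sig = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise IdTokenError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] + leeway < now:
        raise IdTokenError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] - leeway > now:
        raise IdTokenError("token issued in the future")
    # The nonce was generated by the RP for this login attempt and kept in the browser session.
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (replayed token)")
    return claims


# Authorization stays with the RP: a local policy keyed by (issuer, subject), never by a
# display name or e-mail address that the user could change at the IdP.
LOCAL_ROLES = {("https://idp.example", "alice-123"): {"read", "write"}}


def authorize(claims, action):
    return action in LOCAL_ROLES.get((claims["iss"], claims["sub"]), set())


def login_and_check(token, nonce, now, action):
    """The RP callback: authenticate via the IdP's token, then decide access locally."""
    try:
        claims = verify_id_token(token, "https://idp.example", "rp-client", nonce, now)
    except IdTokenError as e:
        return ("rejected", str(e))
    return ("ok", authorize(claims, action))
```

A token that verifies for an unknown subject yields "ok" with access denied: the IdP has answered who the user is, and the relying party alone answers what they may do.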

Although SAML 1.0 was released in 2002, the version most widely used today, SAML 2.0, was released in 2005. SAML was designed to cover B2B as well as B2C scenarios, although its implementation proved too complicated to gain mass adoption among smaller B2C players, which have mostly elected to implement OpenID and, more recently, OpenID Connect.

SAML defines XML-based assertions and protocols, bindings, and profiles. A profile describes how all the other elements are combined to support a use case. The most widely used SAML profile, and the one on which we are focused here, is the Web Browser SSO Profile.

An assertion is a packet of security information, usually transferred from an identity provider to a service provider. Assertions contain statements (authentication, attribute and authorization decision statements) that service providers use to make access control decisions.

A SAML protocol describes how certain SAML elements (including assertions) are packaged within SAML request and response elements, and gives rules about how to process those packages. For the most part, a SAML protocol is a simple request-response protocol.

A SAML binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols, for example the SAML SOAP binding, or the HTTP Redirect and HTTP POST bindings used for browser-based SSO.

Depending on the protocol and binding chosen, the communication flows between the parties can vary greatly, which provides the benefit of flexibility, but the simplest cases align with the OpenID flow that we described above. Security has always been an absolutely key requirement for SAML, and it has a variety of security mechanisms at transport level and at message level (signed and optionally encrypted assertions).

An example of a very public project that has deployed SAML is Healthcare.gov. In this project, SAML is used to connect the Healthcare.gov servers with those of a number of federal and state entities, such as the Social Security Administration, the IRS, Medicare and Medicaid. Signed assertions let each party verify who issued the data it receives, and, combined with transport security, keep the exchange of personal data between the agencies and Healthcare.gov private.

While HealthCare.gov is using SAML 2.0 they are not using a standard deployment profile [...]The industry puts time and effort into producing profiles and testing against them, to reduce integration problems when people deploy federations. The [id]Management.gov for the US Gov is clear on its deployment profile for SAML SSO.

One of the problems the insurers had integrating with HealthCare.gov was a divergence they made from these profiles in what they were sending to the insurers.

How does SAML compare to OpenID Connect?

Although in the 2000s SAML offered levels of flexibility, security and reliability much greater than OpenID, OAuth or any combination of the two, the latest versions of OpenID Connect and OAuth 2.0 provide most, if not all, of the benefits that SAML brings to the table. For example, from a security perspective, an OpenID Connect ID token can carry an acr (authentication context class reference) claim stating which ISO/IEC 29115 level of assurance, 1 to 4, the identity provider met, backed by signed tokens and other cryptographic mechanisms.

From BayPay Forum Events Page: The 'Authentication and Identity Wars' are well underway, but everything is still to be defined. This is the perfect moment to get fully engaged and involved in the industry, and what better way to do it than with your BayPay Forum colleagues!

We are thrilled to invite you to the first event of the Authentication and Identity Track, a series of panels around authentication, security and identity management as they apply to payments, commerce, banking and beyond. This first event will allow us to set the stage and review some of the leading solutions and ongoing initiatives. It will be the starting point for future, more in-depth, conversations with key ecosystem players - merchants, processors, banks, MNOs - covering their most pressing challenges and biggest opportunities in the U.S. and world-wide. Continued.

Trish's Comment: I am very excited about BayPay Forum's next event on October 15th. It will be the first event of the new Authentication and Identity Track, which I am chairing.

This first event will allow us to set the stage and review some of the leading solutions and on-going initiatives. We will talk about the risks associated with today’s authentication solutions, key industry-wide initiatives, the role of government, privacy, and an array of other subjects such as digital signatures, credential management, identity assurance and biometrics.

We have worked hard to make sure we have a great line-up of companies with different, and maybe even diverging, views on the industry and how best to solve the authentication and identity challenge.

Below I have included the list of participating companies (in alphabetical order) along with a short description of each of them:

HID Global: Their vision is true multi-factor authentication providing transparent and convenient protection for online financial services. Multi-factor here translates to five layers (user, device, channel, transaction and app) that can be implemented in a variety of ways.

Iovation: The company gathers information from a myriad of partners to associate each device with its transactional history and provide a 'device reputation score'. At the risk of over-simplifying, the two main scenarios are: 1. If a consumer tries to transact using a device with no fraud in its history, the transaction is deemed low risk and the consumer can proceed. 2. If the device has fraud in its history, other anti-fraud mechanisms (such as knowledge-based authentication, KBA) can be used before the transaction is authorized.

Natural Security: The company has developed a user authentication mechanism that enables online and in-person transactions by combining a mid-range contactless personal device (something the user has) and biometrics (something the user is).

The mid-range contactless technology means users do not have to handle the physical device; it can stay inside a purse or a pocket. A user just needs to place a finger on a fingerprint reader, and everything else happens in the background.

To avoid privacy concerns, biometric information is stored on the personal device, so it remains under the individual user's control at all times. End-user information and communications are encrypted and also securely stored on the personal device (normally in a secure element).

OneID: The company's ultimate goal is to be the only digital identity a person will ever need. As described on their website: 'OneID uses cryptography to encrypt and lock your data locally at your computer. Your encrypted data is then sent up to the OneID cloud storage repository and remains safely encrypted until you ask for it from an authorized device. Your encrypted data is then sent back to your authorized device where it is decrypted and released to a website, login, form, etc., with your consent. All of that happens in a split second. If for some reason the OneID repository is hacked, that data is completely useless without the 'key' that is stored on your device that unlocks your data. Each OneID user has his/her own key – so any breach will result in zero information being revealed.'

Note: Since OneID encompasses authentication, authorization and information sharing, I view the company as an implementation of a private cloud. From my perspective, it goes beyond authentication and tries to provide a holistic 'data view' of the individual.

RSA Silver Tail: The approach RSA Silver Tail is taking is quite different from the other companies discussed so far. Their focus is behavioral analytics applied to web sessions. In layman's terms: Is the behavior of a user consistent with the profile of good behavior we have previously defined for a specific website? Is the behavior of a large set of users similar enough across all of them to suspect a botnet?

These are all very different, and in some ways complementary, approaches to solving the authentication and identity equation. I anticipate a very lively discussion and hope to see you all there!